Wednesday, May 16, 2007

That is so like him

Motivated by a thread on 'reputation' (i.e. what it is, what it isn't) on the ID Gang list, I found Phil Windley's paper on Pythia - described as a 'general-purpose framework .... for building reputation systems'.

Very interesting reading. Hilites were

Reputation is calculated. For our purposes, reputation can be represented as function:

Ru = Frp(Iu,Txu,u',Eu)


rp is the relying party's identifier
u is the user id
u' is all users
Iu is a vector of verified identifiers for u
Txu,u' is a vector of transactions between u and every other user in the system
Eu is a vector of ratings and endorsements for u
This captures for me the two fundamental aspects of reputation, namely
  1. that a reputation is calculated or estimated.
  2. that a 'Y's reputation for being X' is determined by aggregating the opinions of many other Z's on 'just how X Y actually is'. If there is just a single Z in the calculation, then that's an opinion, not a reputation.

Later on
The framework is identity system neutral. Pythia is not an identity system, but is meant to rely on one or more existing identity systems for authentication and user IDs. As implemented, Pythia uses OpenID as an authentication mechanism, but other authentication systems could also be used.

I can easily see Liberty's ID-WSF applied. Instead of the reputation request being set over a RESTful API, it would be sent as an SOAP message. Other than that, the model would be the same

A reputation request consists of a digital identifier representing the relying party making the request, the digital identifier representing the subject of the request, and a rule set identifier. To complete the request, the reputation server looks up the rule set requested by the relying party and executes that rule set for subject of the request. The result of the reputation calculation is then returned for the relying party to act upon.

Likewise for the feedback mechanism.

The paper uses blog commenting as a representative use case. The model is that reputation of the erstwhile commenter feeds into the access control decision on whether their comment should be accepted. There are lots of similar use cases in which the user in question is online and attempting to 'do something', e.g. see pictures, add to calendar, etc.

Are there use cases where the reputation of a user is required, but that user isn't themselves online and initiating the transaction? How about:

'Find the current location of all geocachers within 10km of myself with an 'environment friendly' score greater than 9'

'Find me all sys admins looking for work with a reputation for being a workaholic exceeding 75%'

1 comment:

Phil Windley said...

Hi Paul. Thanks for pointing to our paper. Here's a more recent (PDF) version with many more references:

This doesn't yet describe our most recent work on calculating reputations for OpenIDs as a substitute for explicit authorizations.